Dear openSUSE on-line friend, how do you test your servers to ensure they weren't compromised? I have to say I have no idea at all... :-/ Good luck, Vojtěch

On Thu 10 April 2014 10:49:55, Greg Freemyer wrote:
Just changing the subject line and re-sending. The old subject implied it was openSUSE 12.1 specific.
This is likely the biggest security event in the Internet's history. 99% or more of all Internet users will have to develop their own PERSONAL remediation plan and follow it.
That is true of Google/Amazon/etc., but it also includes every user that conducts secure transactions across the Internet. Think about the banks, stores, ISPs, SAAS providers, etc. you interact with.
Most problematic will be the 70+ year old that manages their financial holdings via the Internet. They need to follow steps to ensure everything they thought was secure last week is still believed secure this week.
I don't even know enough yet to implement my own remediation plan, but here's a 3-line example out of it:
1 - change bank online password immediately
2 - verify bank was either never susceptible to the heartbleed bug, or that they have remediated it.
3 - once 2) is done, change the password again since it may have been breached between steps 1 & 2.
I have no idea how to implement step 2.
Now magnify that issue for every internet based account I have that I log into.
So that very undefined plan addresses internet passwords.
Next, every credit card transaction conducted over the internet during the last 2 years should be considered potentially breached, so all credit cards / ATM cards need to be re-issued with new cards.
What about PINs? Do they need to be changed? I don't know.
I'm not saying you need to run around like Chicken Little, but if you think you just have to get the latest security patches and go on with your life, you're wrong.
If you use SSL to serve secure data, keep reading:
---------- Forwarded message ----------
From: Greg Freemyer <greg.freemyer@gmail.com>
Date: Thu, Apr 10, 2014 at 9:40 AM
Subject: Re: [opensuse] SuSE 12.1 and Heartbleed Bug
To: opensuse@opensuse.org
On April 10, 2014 4:45:16 AM EDT, Dsant <forum@votreservice.com> wrote:
On 10/04/2014 01:22, Cristian Rodríguez wrote:
On 09/04/14 19:53, Matt Darnell wrote:
Fixes have been released already for 13.1.. zypper patch is your best friend
Will "zypper up" be enough? Or within some time?
This is a critical bug/vulnerability with huge impacts. Maybe the worst to ever affect Linux, but it only affects the server side of an SSL connection as I understand it. For most opensuse users it is not an issue from an admin perspective.
As users of the internet, this bug means everything transferred across the internet in the last 2 years that depended solely on SSL for security should be considered potentially breached. That assumes the server end of the connection was running a vulnerable version of openSSL, but as normal users you have to assume that. That means the best practice for all users (including MS users) is to change all passwords used on the internet and watch credit info closely. Then give your internet providers (isps/SAAS providers/banks/stores/auction sites) some time to fix their end and do it all again. I don't know how to test those providers to see if they are secure or not. I'm sure guidance will be forthcoming.
Assuming you are running a server serving encrypted data via openSSL:
Zypper up should be a superset of zypper patch, so yes it should get it but if this is important to you then don't just assume it will work. Get the openSSL patch, install it and read the description of the installed patch to make sure you have it.
Then, if it is important to you, you have a security key you use in conjunction with openSSL to serve secure data. You should consider your key breached. That means that key needs to be replaced with a new one. That is manual work and you may have to go buy a new one if it is a registered key. It should be done after you get the openSSL security patch installed on every machine in your network that uses the same key and openSSL. Normally that is only one machine, but some web farms share a key between machines.
Greg -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
-- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
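Step 2 of Greg's plan (verify the other end has remediated) and his advice that a server's key must be treated as breached and replaced both come down to one thing an ordinary client can observe: the date on the certificate the server presents. If the certificate's notBefore is earlier than the date the operator patched, the old key is still in service. The script below is an added example and not code from the thread or from openSUSE; it pulls the leaf certificate over a verified TLS connection and compares its validity dates with a remediation cut-off. The cut-off date, the hostnames and the sample certificate dictionaries are constructed placeholders chosen for illustration, not values from the thread.

```python
"""Check whether a TLS server's certificate was issued after a chosen
remediation cut-off date (added example, not from the openSUSE thread)."""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

# Assumption: the date after which a re-keyed certificate is expected.
# This is a placeholder; set it to the date the operator reports having
# patched and re-issued its certificate.
REMEDIATION_CUTOFF = datetime(2014, 4, 8, tzinfo=timezone.utc)


def parse_cert_time(value: str) -> datetime:
    """Turn a 'notBefore'/'notAfter' string from ssl.getpeercert(),
    e.g. 'Apr 10 09:40:00 2014 GMT', into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def assess_cert(cert: dict, cutoff: datetime = REMEDIATION_CUTOFF,
                now: Optional[datetime] = None) -> dict:
    """Summarise what the certificate dates say about re-keying.

    A notBefore on or after the cut-off shows the certificate was issued
    after remediation; a notBefore before it means the pre-patch key is
    still in use, which the thread's advice says should be replaced."""
    now = now or datetime.now(timezone.utc)
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    # getpeercert() gives the subject as a tuple of RDNs, each a tuple of
    # (attribute, value) pairs; flatten it for a commonName lookup.
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return {
        "common_name": subject.get("commonName"),
        "not_before": not_before,
        "issued_after_cutoff": not_before >= cutoff,
        "valid_now": not_before <= now <= not_after,
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the leaf certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in the getpeercert() dict layout so the
# assessment can be exercised offline. The hostnames and dates are made up.
SAMPLE_CERTS = {
    "old-key.example": {
        "subject": ((("commonName", "old-key.example"),),),
        "notBefore": "Jan 15 00:00:00 2013 GMT",
        "notAfter": "Jan 15 23:59:59 2015 GMT",
    },
    "rekeyed.example": {
        "subject": ((("commonName", "rekeyed.example"),),),
        "notBefore": "Apr 10 12:00:00 2014 GMT",
        "notAfter": "Apr 10 12:00:00 2016 GMT",
    },
}


def report(name: str, cert: dict) -> str:
    """One-line human-readable verdict for a certificate."""
    r = assess_cert(cert)
    if r["issued_after_cutoff"]:
        verdict = "issued after cut-off"
    else:
        verdict = "PREDATES cut-off: key not rotated"
    return (f"{name}: CN={r['common_name']} "
            f"notBefore={r['not_before']:%Y-%m-%d} -> {verdict}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python check_rekey.py bank.example
        host = sys.argv[1]
        print(report(host, fetch_peer_cert(host)))
    else:
        for sample_name, sample_cert in SAMPLE_CERTS.items():
            print(report(sample_name, sample_cert))
```

Run it with a hostname to inspect a live site, or with no arguments to see the two constructed samples evaluated. A certificate dated after the cut-off is evidence of remediation, not proof: the operator must also have patched before re-keying, and since the thread's point is that the old private key may have leaked, the old certificate should be revoked as well as replaced. A certificate that predates the cut-off is a clear signal that step 3 of the plan (changing the password again) should wait.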